Remediation

Guardian Pro does not just identify issues -- it fixes them. For hundreds of finding types, Guardian Pro provides automated remediation that can resolve issues with a guided, safe workflow: preview what will change, confirm, execute, and monitor.

This page explains the full remediation lifecycle, from initial assessment to successful resolution.

Remediation Availability

Not every finding supports automated remediation. When viewing a finding in the Action Centre, you will see one of the following:

  • Automated remediation available -- Guardian Pro can apply the fix directly. A "Fix" or "Remediate" button is displayed.
  • Manual remediation only -- The fix requires manual steps. Guardian Pro provides detailed instructions and, where applicable, AWS CLI commands you can run yourself.

Findings with automated remediation are marked with a remediation badge in the Action Centre. Use the Action Centre filters to show only findings with remediation available.

info

Guardian Pro supports automated remediation across dozens of AWS services, covering hundreds of distinct finding types. The list of supported remediations grows with each release.

The Remediation Workflow

Every automated remediation follows a structured four-step workflow designed to ensure safety and transparency.

Step 1: Preview

Before any change is applied, Guardian Pro generates a remediation preview that shows you exactly what will happen:

  • What will change -- The specific API calls and configuration changes that will be made.
  • Affected resource -- The resource that will be modified, including its current configuration.
  • Impact summary -- A plain-language description of the effect (for example, "This will enable server-side encryption on the S3 bucket using AWS-managed keys").
  • Risk level -- An assessment of the remediation risk: Low, Medium, or High.
  • Reversibility -- Whether this remediation can be rolled back if needed.
  • Automated steps -- A numbered list of the exact operations Guardian Pro will perform.

The preview gives you full visibility into what will happen before you commit to any change.

tip

Always review the preview carefully, especially for High risk remediations or resources in production environments. The preview exists to ensure you are never surprised by a change.

Step 2: Confirm

After reviewing the preview, click Confirm to authorize the remediation. Guardian Pro will not make any changes until you explicitly confirm.

If you decide not to proceed, click Cancel to dismiss the preview without making any changes. The finding remains active and can be remediated later.

Step 3: Execute

Once confirmed, Guardian Pro executes the remediation through a secure, automated pipeline:

  1. The remediation strategy is invoked with the specific resource and configuration.
  2. The required AWS API calls are made using the IAM role deployed during onboarding.
  3. A snapshot of the resource's pre-remediation state is captured (for rollback purposes, if applicable).
  4. The fix is applied.

During execution, the finding's status changes to Remediating.

Step 4: Monitor

You can track remediation progress in real time through the Remediation Activity Monitor, which appears at the bottom of the Action Centre. The monitor shows:

  • Active remediations and their current status.
  • Completed remediations with their results (success or failure).
  • Any errors encountered during execution.

Real-time updates are pushed directly to your browser -- no manual refreshing is required.

Once the remediation completes successfully, the finding's status changes to Remediated, and your health score recalculates to reflect the improvement.
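The four-step lifecycle above (preview, confirm, execute with a pre-remediation snapshot, monitor the resulting status) is shown below as an added example. It is not Guardian Pro's own code: it models the S3 default-encryption fix from the impact summary against an in-memory stand-in for the S3 API, and the names FakeS3, Remediation and the bucket names are assumptions made for this illustration. The failure path restores the snapshot so that, as the FAQ states, no partial changes are left behind.

```python
"""Added example, not Guardian Pro's own code: the preview / confirm /
execute / monitor lifecycle modelled against an in-memory stand-in for the
S3 default-encryption API. FakeS3, Remediation and the bucket names are
assumptions made for this illustration."""
import copy
from dataclasses import dataclass, field

# Default-encryption rule using AWS-managed keys (SSE-S3), as the S3 API expresses it.
SSE_AES256 = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


class FakeS3:
    """Constructed stand-in for the S3 API. buckets maps bucket name -> encryption config or None."""

    def __init__(self, buckets, fail_on=()):
        self.buckets = buckets
        self.fail_on = set(fail_on)  # buckets whose write call should fail (simulated AccessDenied)

    def get_bucket_encryption(self, bucket):
        return copy.deepcopy(self.buckets[bucket])

    def put_bucket_encryption(self, bucket, config):
        if bucket in self.fail_on:
            raise PermissionError(f"AccessDenied: s3:PutEncryptionConfiguration on {bucket}")
        self.buckets[bucket] = copy.deepcopy(config)

    def delete_bucket_encryption(self, bucket):
        self.buckets[bucket] = None


@dataclass
class Remediation:
    resource: str
    client: FakeS3
    status: str = "Active"
    snapshot: object = None            # pre-remediation state, captured at execution time
    log: list = field(default_factory=list)

    def preview(self):
        """Step 1: describe the change without touching the resource."""
        return {
            "resource": self.resource,
            "current": self.client.get_bucket_encryption(self.resource),
            "proposed": SSE_AES256,
            "impact": "This will enable server-side encryption on the S3 bucket "
                      "using AWS-managed keys",
            "risk": "Low",             # additive change, so Low per the risk-level table
            "reversible": True,
            "steps": ["GetBucketEncryption (snapshot)", "PutBucketEncryption (AES256)",
                      "GetBucketEncryption (verify)"],
        }

    def execute(self, confirmed):
        """Steps 2-3: nothing happens without confirmation; if the write or the
        verification fails, any applied change is reverted from the snapshot."""
        if not confirmed:
            self.log.append("cancelled")
            return self.status
        self.status = "Remediating"
        self.snapshot = self.client.get_bucket_encryption(self.resource)
        changed = False
        try:
            self.client.put_bucket_encryption(self.resource, SSE_AES256)
            changed = True
            if self.client.get_bucket_encryption(self.resource) != SSE_AES256:
                raise RuntimeError("post-remediation verification failed")
            self.status = "Remediated"
            self.log.append("applied")
        except Exception as exc:
            if changed:
                self._restore()
            self.status = "Failed"
            self.log.append(f"failed: {exc}")
        return self.status

    def rollback(self):
        """Step 4 follow-up: rollback is offered only after a successful, reversible change."""
        if self.status != "Remediated":
            return False
        self._restore()
        self.status = "Active"
        self.log.append("rolled back")
        return True

    def _restore(self):
        if self.snapshot is None:
            self.client.delete_bucket_encryption(self.resource)
        else:
            self.client.put_bucket_encryption(self.resource, self.snapshot)


if __name__ == "__main__":
    s3 = FakeS3({"example-logs-bucket": None})   # constructed: bucket with no default encryption
    job = Remediation("example-logs-bucket", s3)
    print(job.preview()["impact"])
    print(job.execute(confirmed=True), job.log)
```

The snapshot is taken immediately before the write and is the only thing the rollback path relies on, which is why it has to be captured from the live resource rather than from an earlier scan.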

Infrastructure-as-Code Awareness

Guardian Pro is aware of resources managed by AWS CloudFormation. This matters because remediating a CloudFormation-managed resource directly (outside of the template) creates configuration drift -- the resource's actual state diverges from its template definition.

How It Works

When you remediate a finding on a resource that Guardian Pro detects is managed by CloudFormation:

  1. The remediation is applied directly to resolve the immediate issue.
  2. Guardian Pro creates an additional advisory finding -- Template Update Needed -- flagging that the CloudFormation template should be updated to match the new configuration.
  3. The advisory includes guidance on what to change in the template to prevent the issue from recurring on the next stack update.

This two-step approach ensures that immediate security gaps are closed without waiting for a full infrastructure-as-code update cycle, while still maintaining awareness of template drift.
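How the stack-managed check and the follow-up advisory can work, as an added example that is not Guardian Pro's own code. It relies on the aws:cloudformation:stack-id, aws:cloudformation:stack-name and aws:cloudformation:logical-id tags that CloudFormation applies to resources it creates; the function names, the sample tags and the sample template are assumptions, and the template patch uses the S3 bucket BucketEncryption property that matches the SSE-S3 fix from the preview example.

```python
"""Added example, not Guardian Pro's own code: recognise a CloudFormation-
managed resource from its aws:cloudformation:* tags and raise the
'Template Update Needed' advisory with a concrete template patch after the
direct fix has been applied. Function names and sample data are assumptions."""
import copy

CFN_STACK_ID = "aws:cloudformation:stack-id"
CFN_STACK_NAME = "aws:cloudformation:stack-name"
CFN_LOGICAL_ID = "aws:cloudformation:logical-id"

# Template-level equivalent of enabling SSE-S3 default encryption on a bucket.
BUCKET_ENCRYPTION_PROPERTY = {
    "BucketEncryption": {
        "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
        ]
    }
}

# Constructed sample: tags as CloudFormation stamps them on a bucket it created.
SAMPLE_TAGS = {
    CFN_STACK_ID: "arn:aws:cloudformation:us-east-1:123456789012:stack/logging/"
                  "11111111-2222-3333-4444-555555555555",
    CFN_STACK_NAME: "logging",
    CFN_LOGICAL_ID: "LogsBucket",
    "Environment": "prod",
}
# Constructed sample: the stack template that still lacks encryption.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"BucketName": "example-logs-bucket"}}
    }
}


def cloudformation_origin(tags):
    """Return stack name / logical id if the tags show CloudFormation created the resource, else None."""
    if CFN_STACK_ID not in tags:
        return None
    return {"stack": tags.get(CFN_STACK_NAME), "logical_id": tags.get(CFN_LOGICAL_ID)}


def template_patch(template, logical_id, properties):
    """Return a copy of the template with the properties merged into the named resource."""
    patched = copy.deepcopy(template)
    resource = patched["Resources"][logical_id]
    resource.setdefault("Properties", {}).update(copy.deepcopy(properties))
    return patched


def findings_after_remediation(resource_arn, tags, template=None):
    """Record the already-applied direct fix, then add the advisory if the resource is stack-managed."""
    findings = [{"type": "S3 bucket without default encryption",
                 "resource": resource_arn, "status": "Remediated"}]
    origin = cloudformation_origin(tags)
    if origin is None:
        return findings
    advisory = {
        "type": "Template Update Needed",
        "resource": resource_arn,
        "stack": origin["stack"],
        "logical_id": origin["logical_id"],
        "guidance": f"Add BucketEncryption to resource {origin['logical_id']} in stack "
                    f"{origin['stack']}; otherwise the next stack update may revert the fix.",
    }
    if template is not None and origin["logical_id"] in template.get("Resources", {}):
        advisory["proposed_template"] = template_patch(
            template, origin["logical_id"], BUCKET_ENCRYPTION_PROPERTY)
    findings.append(advisory)
    return findings


if __name__ == "__main__":
    for f in findings_after_remediation("arn:aws:s3:::example-logs-bucket",
                                        SAMPLE_TAGS, SAMPLE_TEMPLATE):
        print(f["type"], "->", f.get("guidance", f["status"]))
```

Tag-based detection is fast and needs no extra API calls, but tags can be removed by hand; a stricter check would additionally ask CloudFormation for the stack resource by physical ID before deciding that a resource is unmanaged.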

caution

If you do not update the CloudFormation template after a direct remediation, the next stack update may revert your fix. Always follow up on Template Update Needed findings to make your remediation permanent.

Remediation Risk Levels

Each remediation is assessed for risk before execution:

Risk Level | Description | Examples
Low | Minimal chance of disruption. Typically additive changes. | Enabling encryption, adding tags, enabling versioning.
Medium | May cause brief disruption or change resource behavior. | Modifying security group rules, changing instance types (requires restart).
High | Could cause significant disruption if not handled carefully. | Modifying IAM policies, changing network configurations, restricting access.

The risk level is displayed prominently in the remediation preview, along with the reversibility status.

Remediation After Completion

After a remediation completes:

  • The finding status changes to Remediated.
  • The health score recalculates.
  • An audit trail entry is created, recording who authorized the remediation, when it was applied, and what changed.
  • If the remediation is reversible, a Rollback option becomes available. See Rollback.

On the next scan, Guardian Pro re-evaluates the check against the resource. If the fix is still in place, the finding remains in Remediated status. If the issue has reappeared (for example, due to a CloudFormation stack update reverting the change), the finding will return to Active status.

Manual Remediation

For findings without automated remediation, Guardian Pro provides:

  • Step-by-step instructions -- Clear, detailed guidance for resolving the issue manually.
  • AWS CLI commands -- Ready-to-run CLI commands with placeholders for your specific resource identifiers.
  • Console navigation -- Directions to the relevant AWS Console page.

After manually resolving an issue, run a new scan to verify the fix. Guardian Pro will automatically detect that the issue is resolved and close the finding.

Permissions Required

Automated remediation requires write permissions in the target AWS account. These permissions are provisioned through the IAM roles deployed during onboarding:

  • Member Role -- Deployed to each account via StackSets. Includes permissions for common remediation actions.
  • Single Account Role -- For non-Organization setups, deployed directly.

If a remediation fails due to insufficient permissions, Guardian Pro will report the specific permission that is missing, along with the IAM policy statement needed to grant it.
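One way to turn a permissions failure into the missing action and a least-privilege policy statement, as an added example that is not Guardian Pro's own code. It parses the "is not authorized to perform: ACTION on resource: RESOURCE" wording that AWS uses in AccessDenied errors; the sample error message, the role name in it and the function names are constructed assumptions.

```python
"""Added example, not Guardian Pro's own code: extract the missing IAM action
and resource from an AWS AccessDenied message and emit the scoped policy
statement that would grant it. The sample message is constructed."""
import json
import re

# AWS access-denied messages name the action and (usually) the resource in this form.
ACCESS_DENIED = re.compile(
    r'is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)'
    r'(?: on resource: "?(?P<resource>[^"\s]+)"?)?'
)

# Constructed sample: what a failed PutBucketEncryption call reports when the member role lacks the action.
SAMPLE_ERROR = (
    "An error occurred (AccessDenied) when calling the PutBucketEncryption operation: "
    "User: arn:aws:sts::123456789012:assumed-role/GuardianProMemberRole/remediation "
    "is not authorized to perform: s3:PutEncryptionConfiguration on resource: "
    '"arn:aws:s3:::example-logs-bucket" because no identity-based policy allows '
    "the s3:PutEncryptionConfiguration action"
)


def missing_permission(error_message):
    """Return {'action', 'resource'} parsed from an AccessDenied message, or None if it is not one."""
    match = ACCESS_DENIED.search(error_message)
    if match is None:
        return None
    # When the message names no resource, the statement has to fall back to "*".
    return {"action": match.group("action"), "resource": match.group("resource") or "*"}


def policy_statement(action, resource, sid="GuardianProRemediation"):
    """Build the narrowest identity policy that grants exactly the missing call."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow",
                       "Action": [action], "Resource": [resource]}],
    }


def policy_json(error_message):
    """Convenience wrapper: AccessDenied message -> policy document as JSON text, or None."""
    info = missing_permission(error_message)
    if info is None:
        return None
    return json.dumps(policy_statement(info["action"], info["resource"]), indent=2)


if __name__ == "__main__":
    print(policy_json(SAMPLE_ERROR))
```

Scoping Resource to the ARN from the error rather than "*" keeps the grant to the one bucket the remediation actually touched; widen it deliberately, not by default, if the same fix is expected across many buckets.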

Frequently Asked Questions

Can I remediate findings in production accounts?

Yes. Guardian Pro does not distinguish between production and non-production accounts. However, you should always review the remediation preview carefully, paying attention to the risk level and impact summary, before confirming a remediation in production.

What happens if a remediation fails?

If a remediation fails, the finding remains in Active status (or moves to a failed state with an error message). No partial changes are left behind. You can review the error in the Remediation Activity Monitor and retry or investigate manually.

Can I schedule remediations for later?

Currently, remediations are executed immediately upon confirmation. If you want to apply fixes during a maintenance window, simply wait to confirm the remediation until the appropriate time.

How do I know what was changed?

Every remediation creates an audit trail entry with the full details of what changed, including the pre-remediation state (snapshot), the actions taken, and the post-remediation state. This audit trail is accessible from the finding's detail drawer.

Next Steps